Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-11-2024 00:49
General
-
Target
724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c.exe
-
Size
7.1MB
-
MD5
619afea6aff8b04b05222527b1da2bba
-
SHA1
6e3aa7b9f24bff7b624e5ecc8aaf1615d05d05e5
-
SHA256
724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c
-
SHA512
059e7c4014e71154808a000a014b93ab19b54070237121ede794ca773266e01bd0dd969ec9d1ddb9fee11515298c03e952367c6e2a4e73ef568a436ff6ac993e
-
SSDEEP
196608:qZQzJnlM+Tq+KX+TiRxcide1DR4mfbPmf0O:qZQz7fKs1DKwm
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detect Poverty Stealer Payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
-
Povertystealer family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 21 IoCs
-
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 63 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c.exe"C:\Users\Admin\AppData\Local\Temp\724732eda390cb64fd105e7d251c2ec79da91b54f76ff8cacc621ca79ad72d5c.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a2k57.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a2k57.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8p71.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8p71.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1W48q7.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1W48q7.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1009118001\x4lburt.exe"C:\Users\Admin\AppData\Local\Temp\1009118001\x4lburt.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\computerlead.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\computerlead.exe8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"9⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 60010⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1009162001\6328d60ca4.exe"C:\Users\Admin\AppData\Local\Temp\1009162001\6328d60ca4.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009163001\82d6528556.exe"C:\Users\Admin\AppData\Local\Temp\1009163001\82d6528556.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009164001\c2fc27a15b.exe"C:\Users\Admin\AppData\Local\Temp\1009164001\c2fc27a15b.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking8⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking9⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2060 -parentBuildID 20240401114208 -prefsHandle 1984 -prefMapHandle 1796 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09f1b881-8bcd-4e02-a62f-f0aa43832170} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" gpu10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2492 -parentBuildID 20240401114208 -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bb50271-20bf-4b48-af29-4c234cc524ec} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" socket10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3388 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3292 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14730343-168e-499a-b09e-4a65a60c13f4} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3084 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 2712 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba1cbe09-632c-438d-8ce5-44fb10f0f2af} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4676 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4776 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb5cc0a5-4eae-4f19-a318-db8c6fd8f79d} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" utility10⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 3 -isForBrowser -prefsHandle 4780 -prefMapHandle 5184 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10d31607-f61c-4fee-a995-807491f8b0db} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 4 -isForBrowser -prefsHandle 5676 -prefMapHandle 5680 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d09a6de-779c-4d79-9fe0-623369c6148a} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 5 -isForBrowser -prefsHandle 5476 -prefMapHandle 5488 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1d56d63-9537-4061-ac01-4614af5e7637} 2924 "\\.\pipe\gecko-crash-server-pipe.2924" tab10⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009165001\ed24aa3d48.exe"C:\Users\Admin\AppData\Local\Temp\1009165001\ed24aa3d48.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1009166001\016d402cda.exe"C:\Users\Admin\AppData\Local\Temp\1009166001\016d402cda.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"8⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff865c1cc40,0x7ff865c1cc4c,0x7ff865c1cc589⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,14667369067283253560,15953354725080893289,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:29⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,14667369067283253560,15953354725080893289,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2044 /prefetch:39⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,14667369067283253560,15953354725080893289,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2464 /prefetch:89⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3244,i,14667369067283253560,15953354725080893289,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:19⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,14667369067283253560,15953354725080893289,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:19⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,14667369067283253560,15953354725080893289,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4644 /prefetch:19⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 13848⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2m7996.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2m7996.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3o57y.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3o57y.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4u579h.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4u579h.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5164 -ip 51641⤵
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4284 -ip 42841⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
27KB
MD5e149a5b59e31324bd846c470170335d4
SHA134da40b94c024dd39c41e1baeccdfcf6700aa587
SHA256fa20010af41c7feef35460271cc01cc9497353c9defba223221b77daa2695672
SHA5128d12390f18e7a324a2c3fdf2239ac36d15a0501a2211f59c2fa93b7c4a2692cd2579bc8ee84c3b88112739d857ffbbeec250191f8857a6fede81e1509eaa9555
-
Filesize
13KB
MD5f8993314fd024e69ab0bf2b73ad89a3b
SHA15f158bbcf4b3ae0d3b1e73befbd40222d8cb414d
SHA25669883884c5c549a06e9200df494b25012d3dec711b8fbc7ae2d201e49b9b064c
SHA5127beaf505526673d15f95f15f20a9c25bfdd818fe69034daea63c9b78590dc712078c24ebd1f3bc631fb5f1584dfd511ec4557517c90cb25485972fdb03e7959a
-
Filesize
932KB
MD596a7b754ca8e8f35ae9e2b88b9f25658
SHA1ed24a27a726b87c1d5bf1da60527e5801603bb8e
SHA25621d262741b3661b4bf1569f744dc5b5e6119cfa4f0748b9c0fa240f75442cc50
SHA512facb2e44f5a506349710e9b2d29f6664357d057444a6bd994cf3901dee7bea471247b47496cc4480f1ad2fac4b1867117072ea7a0bfa83d55ced4e00dda96745
-
Filesize
228KB
MD50a089e934eb856c3e809d0fac53000c7
SHA1661f86072031587be18ada0b6606ee82bb52038f
SHA256f4e5ec593dcb18dca253d98f5133050e96f27f86c1e46b5882abf797fefe26b1
SHA512026152c47e9547d1f2c254bdb824f9b8ac113df6b3a98c61b1ac4adde0286dc8a06ade4a3bd73a149b4a9eaad0f86d702ab4b4042dbb7c17cc0af5a14e34cadc
-
Filesize
29KB
MD5d0038532ae6cec64be83bc19d0b8f695
SHA117a23380f80068d15ebc014cb2b1748bb45fb5c1
SHA256b412dd132cb21a0d4d7bb622c6fe49f9e6c5c934201815d570db774ac80194f5
SHA512af269471f7093445fb05bc6d6d185f9e48d0666674a3de50c4217757d3fdf39b067668bf2ca37eac91d5cb203c3ce3d4d634661e470d84d12c80c332344503ea
-
Filesize
901KB
MD5396550510e969006e52ea8931b9a79e0
SHA169a1977c9bc1caefbe14e37dab010b7044f71a23
SHA256da90d008b44097ea1201a68c6d6f4bb294eff9c62486ec0c67dde91d9d9c24ce
SHA51211e081f23121c6cb122c502dd9ef90fd00913ec2c21b077a84d0a3cb2239847096d4541a46b9277facd9ff1188af3cc178af0606427c63fad383c5c2ee7e8a62
-
Filesize
4.2MB
MD5e3f5abc2332ea769c91f7c6f2a5a664a
SHA12969a201926786c2e4d03f215077d2abec517dec
SHA2566bf3521dbb4d8610035627fd1ffba23169aaba4c7ed723522a1a73386edf5b69
SHA5126a2f821451483ad5781b761bd9f462fcbf6239c1d6260d2af02f128680588c56fb4b03ad199a01334ce50d4a351393a2dd69abd345fe949434c5733078949f2a
-
Filesize
2.6MB
MD522370d009f56cb4eaa0c65191c9ce569
SHA161709a4936735ee99136b7dc86de24480146d8b5
SHA2563c15b93399455363458932130652659f24d2415b1dc2ef02ace1f943cb83e78d
SHA512b35ac9f727ca14431375b29188029a3ffed85b076de97c3295d2303a9ab329fb0428da444276c2443698f770f2e9f8f85462dd11a36020826d52be7929f81734
-
Filesize
5.6MB
MD551ade2e68fc110a5633bd23abd4fff9d
SHA13bed1f8761d1bd7a7dd6e8bb17ddaa98ce8360fc
SHA25621dc862eec0429d07caceb06217f1674dd29d09ac1954cd56cb4bc12123c4797
SHA512648846ba77a8b1d98742bada29175d14d150e434ee5d4f03f5f8907eae60eb30a509a81ee2e02d88512f96176586612fa596cb55d65999439f8351744afcde85
-
Filesize
1.7MB
MD5ded0eb089d3679972dcf011246f04abc
SHA1222c4fdea41b569389fa64ff718b5f9944b5faea
SHA25691c13e6200f741745516347b90adc8b5dea0c43f0b0163f6035570142a5153f6
SHA512eaf8e2c036574a001d77472d96b5af088bd1e4777229d504870e3d0743285374c223a9de93b2cecc9927eb8af3c039ab5a8be888ee82e9d0a63990025f7274d9
-
Filesize
3.8MB
MD5f8d97b0a2906a878173a6b4d40defcdf
SHA10e7ca297cd875af6d8d15bdc7df1b84989851e9e
SHA256810fc057b8beda9e4d44c9c3f334c610f691306ea1c0598373d455da92179a5d
SHA512fa165f853c35411bf6940c53f8b5f63976b01b96ff41b99710f38f15e903ed5cf217b6c1e216f698b6f3fe40a7cb1a23bcd9f0b75c8b3f6f9b48372ab5ba38c0
-
Filesize
1.9MB
MD5f324cf036831114e3c8c681220ca0489
SHA144bf59a5f94477316d0e410fad8d2ea4b552a37d
SHA256fd15d97c8fc88aa354c097d5e94d69ac2389e0383baa7fb6fe32e56655b501ed
SHA51268c0138aa66b76ec360bd775cb6dd2a80aa7d8e09159061b2c957b5bff12641767ac38c92b293242b5219ab3ed0efa423f1305f0b39e8372838a39dbea5ba47c
-
Filesize
1.8MB
MD51ae6f683a54eda849fd92462d37f1937
SHA19c98888d6444414719478467a0bcb7467311268f
SHA2560419321447abb2012698b519a851f6ce4ad90dcedd457f8e7fe9c5b64af07fcc
SHA512a45a42171982b6e5dfb30e1e30aee8860bb63cbc744eb0e9c8ca3f795a47d27c1a43e86a42e3520318bc3ff47abaed603f1634d0cde7af90fa258ae57698bc04
-
Filesize
1.1MB
MD52354e800eefc681a7d60f3b6b28acfd9
SHA110b6a3d9d2283b5f98c9924fa1fca6da79edb720
SHA256d3c21f6c3892f0c444ffb4b06f962caddf68d2c3938bbd399a3056db255007e3
SHA5120395737b77891d8cf7761266c2b3d594deb8e742bd5f12f15f58b2c161c242356b953ebf8cd1f41924a917b2c1332bd2e05ef275efd2419a6134a60729195354
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD55c7a8c30b513fc9380d70c83dbc7ba1a
SHA1c9f8d9de79812dbbf67a5422a88fb363ee50f7da
SHA256b2e05021f5531d0ac8d4a0cef4d500a3352647c0924feb0cd8109de57507e058
SHA51217d38b1cd62ec1a5ed947a4fdf393a776e26e5bfb8fe80eb2a5e19fd86350b30d3463d7d86ddfbc1bfd184add60e8400baced5eaa53d3d661c80cff7fa9f2eaf
-
Filesize
7KB
MD548fa97fbad44f28b8e42ad7890cf5cfc
SHA17994a73dc23a9d8a53d9dc88565984863a74676c
SHA256b387fda075f11db9680507896e971803e4cbc35e7029d79ecb8e193166ac071c
SHA5120cf982963b9f76f63222ff6ba342725fc47ff38b057917fc7123dc7eb74ca974b4ffacaecb288a755248dbab5701390acd28a2dd748a09409304e451dea36a41
-
Filesize
10KB
MD5baf408302b0c0d5ddf22d86eafce06f0
SHA155e7b36574fa3cc23c92d3af448ce81e8aa4b0bd
SHA25628c1521eaff8a36c874769827868b0af17b927f088f554285b98bb1398171569
SHA512feae1821103b4627545d8a6032d155dcacbd80013ac03dabbd2474afdcd45c840dfe62eaacac57a5da76696ebf68462b800e8c9b2e1fc92df7a6a09714d917d4
-
Filesize
23KB
MD5a594c82f428e08630672671a9b8ccf0e
SHA1c8987700cda8d8eabf7c67c5ecbd90cc4dbf02da
SHA256dd308a66353c4c08c4f27c7ed753b3f952fe9f9c795ab83ae956d11b959f8726
SHA51251e1f9b1a0f03e1886d73dd73bec36f4b452965606d4fd58e3f77d5ba745d2cc963ca0cd97abbd5f19e218f8dbb0433686185ac197b45178708fd2d33b15a1d6
-
Filesize
24KB
MD589bdf6f00a073a50b6c6ab77130f103a
SHA192ac9e7fe897178dbf13debf42932c5c4cbcfd18
SHA2560138525f00752dbe4943166c98060093488f80cd2c931e23069a2d060332116f
SHA512a5590e16c057825086233846c32810b1d4c03d04da9f56ec41d5fe2d18923033eb71b4d84e0a89a036eb9657ec859ece82184befd886c5d62514ebb0d2ec092d
-
Filesize
24KB
MD58a5cf0deb47875df0e8b2728f360b05b
SHA1bbfae3c3ac763a04de3bfc3fd53bfa5849eaab07
SHA256f8e0dbb9e633a04be2d11b64fbf3f31fa5948d713e0880fa1c97f64996431622
SHA51234f0ea75dad12cb51ff9f2edf6536002650b1953f6f69f9752895231c78b14e4c72b9ac810bd218dd1e8f6935ff9c1cb331fa7c0c83870dfcd75747e93c55328
-
Filesize
24KB
MD567599ed34a77588ac4b7bcf7d44b2e19
SHA12365c8f7c9740e68bd3ba318b81a9c4fad1f4941
SHA2565bbc9cf4402489e9bd18a40c1e8164580eea184babae3fbb044c18b1814b6853
SHA512f3e59aa417bedf8a2d6623f3039ed9289c7e5903738d5cab0b330d9126264bb05baa15c47b04eb82f2e412c01813c1eb93bd60b0c34bc958acb84e794af19191
-
Filesize
21KB
MD5cabb1c41c1fd4b2dcd8fa638b7c40346
SHA16569aaa233baadd20d5ed9839fc972cad71cf8f6
SHA2565ca47821c864181bb59bc58b25392b936b6236fffa152e5a213ba5a069b692ad
SHA51252bbdf76c30f60dedefc44cf0d302d87df6f25ea5b0b3b1c8409825d385b768d096464811fce7d3d55a21e6cdbc3a5d15bea6091ad69f16cb3519fcb4cb1eb1b
-
Filesize
21KB
MD50dcdf78096acff2732fdc0dc747f0e03
SHA104d9e35f4931cbc40ac65e17fc0f937b977bf0cc
SHA256b86545707adbd217fa1147551cca993b448660e555423721c0921504c93034dc
SHA5125e19e6148d808493f21527a6cef6227b4df49c4a642f17f7d0721b87779b08e9da4693335a825f007e8c6d4d3c4dbf79f61f5f8a95883cdce7da6c1f0636e00c
-
Filesize
21KB
MD5b5757e4b29d40b46ffc00e3a81da1ce7
SHA1161ae3629042097e680f70f9f2ed4ed704dd782a
SHA256dcf013b8c4029c6a3c83c2789e5d29e3ab63eb8e68ea3818eee6111790aa6113
SHA512523afabcd5cb7ce0ef573c2548efa01e779de466727c950fb2e4b5d5eb3da153ce3ed5006045b44dfe9b98f4f77f968efd046ac8f9cfc247be7fd64e57c6a5db
-
Filesize
22KB
MD51a48643b230522021e4b0a6f15402db4
SHA198de61a7d7a4ce79eda4204102413cc1cedbfb0e
SHA25659314e941887e0b9ce5ebe92a743df169e442f2fb4a85fc366fae4e63455d5b5
SHA512aa9c7ca89e30c80883b7bebda638c006afffaac5d418fdefb8381998002e5d564abff0994935977a3ac1c91a5b14a446b4a33058de69f0907158c25d6906d983
-
Filesize
24KB
MD5ddfad727b6519f19a2863ef5bb2d1468
SHA1943268c3ca41892669e90058a0ebefc88a15b122
SHA2560cbfe43e344f733a2544798782cfff432ace324fbefb3d8303aefca732e1ce1f
SHA5127d9335fd7fefd2cb153a27746d73479ee96eb29e23d5fc1445b2eea422e8e6a1401f7c875a89c799354465083ea3a08cb747e4831fbcc3a76fede1d4843757c5
-
Filesize
982B
MD530926101640d532751c537592088dc4c
SHA196b4d031b3563e3537bdae28c6da894479f62340
SHA25647579881a0a021c1182c450c6d8667961fed95e91dc32af2d6dfe03ca8104a0a
SHA51271822c39a6e6b897dbea38e9a96714ff906c76bc18f26e4e4a7980315c23da4d66b0005f621b357be46dcbf46289a7e738dbd52cf8a21203f4f9fd887163249e
-
Filesize
659B
MD59aa6902bb8c7e1e51a1984db760dfbf9
SHA102545b3f915634470a07c7feb4686cac4b7f8f20
SHA2569f30a928cd8843ef81ed663a264a2b41cfc8f6a96701df93dbaf3e732b6901d6
SHA512873a9fde90046d1b47a80ce08620cf4321c9d9338c7540ce46c774ac7251dc2f903e03a1dbc7ad160da9f9062735e60466dcd82527d3c6c9780460519dad11ff
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD57112a2689a87cb2b38571d0405d78263
SHA1a1a1bfc4a8625f8ec562bcd42d5aeb786fa73c13
SHA2565b4da75360bebb8ab210960961939f1b609f1a70b03142bfffbbc9c79322e76f
SHA512c25aaa63bc9c2e55aa770a26d89f3856c721f333cdeeae0137cc63ba485b703709391b0086e96558b8c8991916893977670efcaef822768c0c58cd89901bb75a
-
Filesize
15KB
MD513bb2c9d57afd9251cfe5a3b7c6d2089
SHA1274e95e7dfd33d28b0b1d2f10bd54dd22a25c6c5
SHA2565d444e6d0e689710be2e998195471dcd86d0a0f550f83cfa7918b9eeebc54674
SHA512f133aa5708a3dc751682d7a83dfaa880bea27af187b05c989a40c18b02d94d64ec9df5c25d7bdadd0162b0ce89d942dba6acf8d1a1fe1d1a58f6f7b793ac4b0a
-
Filesize
10KB
MD5b70d01c4b7b4b64b26f15687492a5bf0
SHA1b74f010d0e02d5b0ea15542a750a7d80f9e9b007
SHA256b7805dd4b26b5f5c79871218a302bc231ca2f45ee402f7447e0aa57e3d4318c4
SHA512db9aab016cc0f3ce0a09ed0360d7b2cff29a0982f1afad241cdace2c842b4b205ee36654c8c226e0e7ad9ef4bda178ecebfcaab16fc31f25513f18d19589bd12
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
1.1MB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
152KB
-
Filesize
624KB
-
Filesize
24KB
-
Filesize
104KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
616KB
-
Filesize
304KB
-
Filesize
336KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.2MB
-
Filesize
256KB
-
Filesize
1.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB